| author | John MacFarlane <jgm@berkeley.edu> | 2015-07-07 11:15:40 -0700 |
|---|---|---|
| committer | John MacFarlane <jgm@berkeley.edu> | 2015-07-07 11:15:40 -0700 |
| commit | 9e528f4c0ce47c3ae7d233ba9627d2ed3df60fd7 (patch) | |
| tree | 2964da504b5f7cb899a1ae245e3a2e99915f84e4 | |
| parent | 7398dea65fd57281b73698fdbf5c709bf0e64ed7 (diff) | |
Fixed email javascript obfuscation with mailto: URLs.
This fixes a potential security issue. Because single quotes weren't
being escaped in the link portion, a specially crafted email address
could allow javascript code injection.
[Jim'+alert('hi')+'OBrien](mailto:me@example.com)
Closes #2280.
| -rw-r--r-- | src/Text/Pandoc/Writers/HTML.hs | 4 |
| -rw-r--r-- | tests/writer.html | 2 |

2 files changed, 3 insertions, 3 deletions
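The escaping problem the commit message describes, as an added example that is not pandoc's code: the raw construction next to a hardened one modelled on the fix, plus a check that the emitted literal cannot break out of the JS string. The entity scheme (alternating decimal and hex), the helper names and the reuse of the commit message's crafted address as input are assumptions.

```javascript
// Added example (not pandoc's code). The obfuscated mailto link pandoc emits
// wraps the link text in a single-quoted JS string literal inside a
// document.write(...) call, so any "'" in that text terminates the literal.
// Constructed input: the crafted address from the commit message.
const CRAFTED_TEXT = "Jim'+alert('hi')+'OBrien";

// The "before" side of the fix: link text placed raw inside the literal.
function naiveLinkText(txt) {
  return "'" + txt + "'";
}

// Modelled on the fix: write every character of the link text as an HTML
// numeric character reference (alternating decimal and hex is an assumption
// about the scheme). The emitted literal then contains only "&", "#", "x",
// digits and ";", none of which can end a JS string or a <script> element;
// the browser decodes the references only when document.write inserts them.
function obfuscateString(txt) {
  return Array.from(txt)
    .map((ch, i) => {
      const cp = ch.codePointAt(0);
      return i % 2 === 0 ? `&#${cp};` : `&#x${cp.toString(16)};`;
    })
    .join("");
}

function safeLinkText(txt) {
  return "'" + obfuscateString(txt) + "'";
}

// Assemble the document.write(...) statement the way the writer does, with the
// address already split into the variables n, h and e earlier in the script.
function scriptBody(linkText) {
  return "document.write('<a h'+'ref'+'=\"ma'+'ilto'+':'+e+'\">'+" +
    linkText + "+'<\\/'+'a'+'>');";
}

// Defensive check on the emitted literal: nothing between the quotes may
// close or escape a single-quoted JS string, and no "</" may close <script>.
const BREAKS_JS_STRING = /['\\\n\r\u2028\u2029]|<\//;
function literalIsInert(literal) {
  return !BREAKS_JS_STRING.test(literal.slice(1, -1));
}
```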
diff --git a/src/Text/Pandoc/Writers/HTML.hs b/src/Text/Pandoc/Writers/HTML.hs index 8de34ace8..a1594b2c4 100644 --- a/src/Text/Pandoc/Writers/HTML.hs +++ b/src/Text/Pandoc/Writers/HTML.hs @@ -375,8 +375,8 @@ obfuscateLink opts (renderHtml -> txt) s = (linkText, altText) = if txt == drop 7 s' -- autolink then ("e", name' ++ " at " ++ domain') - else ("'" ++ txt ++ "'", txt ++ " (" ++ name' ++ " at " ++ - domain' ++ ")") + else ("'" ++ obfuscateString txt ++ "'", + txt ++ " (" ++ name' ++ " at " ++ domain' ++ ")") in case meth of ReferenceObfuscation -> -- need to use preEscapedString or &'s are escaped to & in URL diff --git a/tests/writer.html b/tests/writer.html index 1357fa7c4..4a60a7b97 100644 --- a/tests/writer.html +++ b/tests/writer.html @@ -481,7 +481,7 @@ Blah <p><script type="text/javascript"> <!-- h='nowhere.net';a='@';n='nobody';e=n+a+h; -document.write('<a h'+'ref'+'="ma'+'ilto'+':'+e+'" clas'+'s="em' + 'ail">'+'Email link'+'<\/'+'a'+'>'); +document.write('<a h'+'ref'+'="ma'+'ilto'+':'+e+'" clas'+'s="em' + 'ail">'+'Email link'+'<\/'+'a'+'>'); // --> </script><noscript>Email link (nobody at nowhere dot net)</noscript></p> <p><a href="">Empty</a>.</p> |
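Review bot: the soundness of the changed `else` branch in `obfuscateLink` now rests entirely on `obfuscateString` encoding every character of `txt`, including `'`, `\` and the `<` of a `</` sequence, yet nothing in this hunk states that invariant, so a one-line comment at `else ("'" ++ obfuscateString txt ++ "'",` saying that the result is a pure run of character references and therefore safe inside a single-quoted JS literal would make the fix reviewable without opening the helper; if the helper can ever let a character through unencoded, an explicit JS-string escape should be used here instead. The `altText` half of the tuple still carries raw `txt`, which is acceptable only because it lands in the `<noscript>` fallback as HTML text rather than inside the script, and that distinction is worth noting alongside the change.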
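Review bot: the removed and added `document.write` lines in the `tests/writer.html` hunk read identically here, so this test change does not visibly exercise the fix; the only input that separates the old and new code is a link text containing a single quote, such as the `Jim'+alert('hi')+'OBrien` example from the commit message, so a fixture with that text whose expected output contains no unescaped `'` inside the script would turn this into a real regression test for #2280.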